Reputation: 66122
I'm writing a .NET WinForms application and I need to save a password to access a remote service. I have an XML file that I write all the settings to. However, I don't want to write the password in plain text into the XML configuration file. I thought about using AesCryptoServiceProvider to encrypt the information. This class requires a key to encrypt the data, which I assume I could just leave in the source code of my program. However, this seems to me to only be marginally better than storing it in plaintext, because the key would always be the same, for all instances of my program. I could generate a key upon first starting the program, but then, where would be a good place to store that? One thought that I had is to use a constant key, and a salt that I store along with the password. This would make a unique "key" for each person's machine, without having to store the key out in the open. Is there a standard way of going about storing this type of information on the user's hard drive?
Upvotes: 2
Views: 152
Reputation: 15008
There are only two options I can think of
Remember though, if you're worried about people getting into your app to extract things like keys then they can just as easily print the raw password you need to send before you send it. If you're that worried then you need to consider other options.
Upvotes: 0
Reputation: 10257
I can't think of a perfect solution for this, but you could use DPAPI ...
this will usually prevent decryption of the file on another system, but will not ultimately protect the data, since the user can extract additional key bytes from your program, and since he has access to the machine / user key that won't be a problem either ...
if your question is more like "where to store that one final crypto key that can not be avoided?" ... I'd suggest a registry path for each user with strict access permissions
Upvotes: 2
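The DPAPI approach suggested in the answer above, as an added example that is not part of the original thread: it protects the password under the current Windows user's key with `ProtectedData` and writes the result to an XML file. The class name `SecretStore`, the element names and the choice to store random entropy beside the blob are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Xml.Linq;

// Hypothetical helper; class, file and element names are assumptions for this example.
// Requires a reference to System.Security (.NET Framework) or the
// System.Security.Cryptography.ProtectedData package (.NET Core and later). Windows only.
static class SecretStore
{
    public static void Save(string path, string password)
    {
        // Per-installation random entropy, stored beside the ciphertext.
        // It is not a secret; the protection comes from the user's DPAPI key.
        byte[] entropy = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(entropy);

        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, entropy, DataProtectionScope.CurrentUser);
            new XDocument(
                new XElement("settings",
                    new XElement("passwordEntropy", Convert.ToBase64String(entropy)),
                    new XElement("passwordBlob", Convert.ToBase64String(blob)))).Save(path);
        }
        finally { Array.Clear(plain, 0, plain.Length); } // do not leave plaintext bytes around
    }

    // Returns null when the blob cannot be decrypted, e.g. the file was copied
    // to another machine or user profile, or was modified.
    public static string Load(string path)
    {
        XElement root = XDocument.Load(path).Root;
        byte[] entropy = Convert.FromBase64String((string)root.Element("passwordEntropy"));
        byte[] blob = Convert.FromBase64String((string)root.Element("passwordBlob"));
        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (CryptographicException) { return null; }
    }
}
```

As both answers point out, code running as the same Windows user can still call `Unprotect` on this blob; the scope only stops the file from being read under a different account or on a different machine.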